Can Korean consumers join a class action over a data breach by an app, and what compensation is realistic?

TL;DR: While a 'class action' against the data controller is possible, conservative damage awards by Korean courts typically render such lawsuits impractical. As an aside, 'class action' lawsuits (where a representative plaintiff sues on behalf of a class with similar or identical claims) are limited to securities litigation in Korea. There have been discussions about implementing class action lawsuits more broadly but nothing has been legislated yet. In any case, this is just a technicality - multiple plaintiffs with similar claims can still join in to file a single lawsuit together (usually under shared legal representation), which is technically not a class action but achieves a similar effect nonetheless. For simplicity's sake, we'll use the term 'class action' in this response. Under Korean tort law, damages are divided into pecuniary (for financial harm) and non-pecuniary damages (for emotional distress). Also, punitive damages are generally not recognized, and the burden typically lies with the plaintiff to establish both the occurrence and the specific amount of damages. Since personal data breaches rarely result in immediate, quantifiable financial harm, establishing damages is often challenging in such cases. To address this issue, the Personal Information Protection Act (PIPA, the primary data protection legislation in Korea) offers two key protections: (1) data subjects who suffered data breach may claim reasonable damages of up to KRW 3 million, and (2) the burden of proof is shifted to the data controller, requiring the data controller to establish their non-negligence (Article 39-2). Nevertheless, the recoverable amounts remain modest (to say the least). Korean courts tend to be more conservative (compared to U.S. courts, for example) in assessing damages, awarding between KRW 100,000 to 200,000 per plaintiff in typical large-scale data breach cases. In addition, punitive damages are not recognized in data breach cases. While awards may increase in instances of intentional disclosure, they rarely reach the statutory ceiling, which itself is not substantial (KRW 3 million). With that said, class action may still make sense in some cases: (i) when the class is large enough that the per-person legal cost is lower than the expected damage award; (ii) when the class is large enough that despite the low amount awarded to each plaintiff, the aggregate amount is large enough to punish the company; or (ii) when the goal is mostly symbolic - to send a message to the company or generate noise, for example. Otherwise, it may not be worth pursuing for individual plaintiffs seeking financial remedy.